Adobe released version 9 of its popular Flash player in June, boasting 10x performance increases and a variety of new video, audio, and security filters. MySpace worked with Adobe on new security settings for Flash embeds on its sites and required its members upgrade to the new plugin version for access to Flash content on the site. The new player release combined with the MySpace required upgrade created a lot of confusion around the future of embedded widgets on MySpace and other popular web properties. I spoke with Emmy Huang, senior product manager of the Flash 9 plugin at Adobe, to learn more about the changes in Flash 9 and its effect on the Flash and MySpace ecosystem.
The Flash browser plugin has been a huge success on new web communities with its ubiquity across PCs and its efficient bundled audio and video codecs. Research firm NPD found the Flash Player installed on almost 98% of desktops in April, including a 70% penetration for then 7-month-old version 8. Flash is used on sites such as YouTube, Google Video, Flickr, and Photobucket to display rich content on-side or through embeddable widgets added to any web page. The embedded Flash widgets have become popular additions to configurable sites such as MySpace, allowing users to add their favorite video clips, images, or music tracks anywhere they imagine.
Open, yet more secure
Flash 9 adds new options for site owners allowing more control over the embedded content present on their pages. The allowNetworking and allowScriptAccess property tags can be added to HTML markup describing a Flash file to restrict the virtual machine’s permission set within your pages. Emmy mentioned the extra parameters allow websites to “safely provide a controlled embed environment with decreased opportunity for abuse and control.” Without such restrictions it is possible for a Flash widget to take control of the browser window and navigation, open pop-up windows, and other unwanted behavior.
Emmy confirmed MySpace had contacted Adobe about better ways to secure Flash content embedded on their pages and the two companies worked together on an escalated solution included in Flash 9. MySpace began testing the new Flash features two weeks after launch and made the complete switch about 3 weeks after the launch of Flash 9.
MySpace restricts the behavior of Flash embeds, limiting their ability to call external links or URLs by setting allowNetworking to internal. The files can display pictures and videos, but cannot add clickable external links to their Flash files. Flickr can display a slideshow of your latest photographs, but clicking an individual photo will not launch the destination page.
Widget producers need to rethink their embedded content strategy, adding new actionable items to their HTML snippets. You can add a clickable image inside the
object or add new lines to the snippet with links back to the full web page.
Web sites allowing users to insert arbitrary HTML should take a look at the new security restrictions in Flash 9 to limit the actions of such content on site visitors. Flash producers relying on large embedded install bases such as MySpace need to rethink the monetization of those eyeballs, as users are no longer able to visit your full page through on a 425×350 pixel link target at the end of an embedded video.
You can read more about the Flash 9 security measures in Adobe’s white paper.